The Implications of the New European General Data Protection Regulation (GDPR)

Townsend Feehand, Chief Executive Officer, IAB Europe
Thomas Duhr, Executive Vice-President Interactive, IP Deutschland GmbH
Dave Grimaldi, Executive Vice President, Public Policy, IAB
Alex Propes, Director, Public Policy, IAB

Post on 09-Jun-2020

Implications of the new General Data Protection Regulation (GDPR)

IAB Global Summit, New York, 31 October 2017

§ Key elements of the GDPR (refresher)
§ Preparing for compliance: how European industry and enforcement authorities are getting ready for May 2018
§ The wild card – ePrivacy

Key elements of GDPR

Not everything is new, but…
§ Non-EU companies are more clearly subject to EU rules if
  § Marketing goods & services to EU users
  § Monitoring their behaviour
§ Broad definition of personal data (directly or indirectly identifiable) includes pseudonymised data
§ Narrower legal bases than in the 1995 Directive
§ New & extended rights for users (see detailed slide)
§ New & extended obligations on data controllers (see detailed slide)
§ No more prior approval requirement but data protection impact assessments for profiling
§ Administrative fines up to 4% of annual turnover for infringements
§ Joint & several liability
§ Beefed-up EU-level enforcement authority

Key elements of GDPR (2)

Broad definition of personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Language explicitly stating that there might be situations where cookies and other online identifiers were not personal data was taken out in late-stage negotiations.

Key elements of GDPR (3)

Narrower legal bases than 1995 Directive
§ Legitimate interest
  § Wider range of user “interests” can be adduced to challenge data processing
  § Indicative list of examples cites fraud prevention, network security (direct marketing too but not necessarily helpful)

Key elements of GDPR (4)

Narrower legal bases than 1995 Directive (cont’d)
§ Consent
  § A clear, affirmative act – silence, pre-ticked boxes or inactivity may not be construed as expressing consent
  § “Freely-given”
  § Specific
  § Informed
  § Data controller must be able to demonstrate that data subject consented

Key elements of GDPR (5)

Narrower legal bases than 1995 Directive (cont’d):
§ “Freely-given” means:
  § User must have “genuine” choice and be able to refuse or withdraw consent “without detriment”
  § No “imbalance” between the user and the data controller
  § User cannot be obliged to consent to data processing that is not necessary to provide the service he or she has requested

Key elements of GDPR (6)

New & extended rights for users
§ Right of access to your data
§ Right to rectification
§ Right to erasure (‘right to be forgotten’)
§ Right to restrict processing
§ Right to data portability
§ Right to object
§ Right not to be subject to decisions based on profiling that have legal or “similar” effects

Key elements of GDPR (7)

New & extended obligations for data controllers
§ Transparency & information to users:
  § Identity & contact details of the controller
  § Contact details of the Data Protection Officer
  § Purposes of data processing
  § Legal basis for processing
  § Legitimate interests pursued by the controller, if applicable
  § Recipients or category of recipients to whom data are disclosed
  § Information about any transfers of data outside the EU
  § Length of time data will be stored
  § Existence of rights to access & rectification, right to withdraw consent
  § Information on profiling, if any

Preparing for compliance

§ Two year adaptation period for industry and enforcers – deadline => May 2018
§ F2F consultations with EU institutions:
  § DG JUST industry roundtables & multi-stakeholder meetings / expert group on GDPR
  § Article 29 Working Party (WP29) “FabLabs” for industry & civil society to test views on areas they aim to issue guidance on

IAB Europe GDPR Implementation Group (“GIG”) draws in national IABs, NAI

Preparing for compliance (2)

WP29 GDPR guidance already issued on:
§ Data portability
§ Data Protection Officers
§ Data Protection Impact Assessments

WP29 currently soliciting input on draft guidelines on:
§ Data breach notification
§ Profiling

Preparing for compliance (3)

§ IAB Europe GDPR Implementation Group (“GIG”) pulls together national IABs, NAI to develop common approaches on compliance challenges, exchange news on national-level developments
§ Prioritising consent, data protection impact assessments
§ Next F2F meeting next week in Brussels

ePrivacy proposal

§ Replacement of the 2002 “cookie Directive”, part of EU telecom law

§ “Privacy” as a separate right under the Charter of Fundamental Rights

§ Institutional logic made cookie rules inevitable

§ WRT cookies, overlap with GDPR means new proposal was redundant and unnecessary from the start, and could only erode the position further for online advertising

ePrivacy proposal – two key elements

§ Reduces multiple legal bases for data processing laid down in the EU General Data Protection Regulation (GDPR) to only one: opt-in, prior consent of the user

§ Requires browser manufacturers to offer users the possibility of blocking third-party tracking at browser or operating system level and forces users to make a choice (block/don’t block) at first use

JUSTIFYING ACCESS TO A DEVICE WITH A LEGITIMATE INTEREST IS NOT POSSIBLE!

ePrivacy proposal – European Parliament first reading outcome

WRT legal basis,
§ No new exceptions for advertising, and exception for processing necessary for delivery of an online service is now narrower (“strictly technically necessary”)
§ Websites may not refuse access to users who withhold consent for data processing

§ Worse, EP text would give users a legal entitlement to access any data-driven ad-supported site for free:

“No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent… to the processing of personal information and/or the use of the storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality.”

Publishers would have no way to incentivise people to use the ad-supported version.

ePrivacy proposal – European Parliament first reading outcome

§ WRT browser settings,
  § Default must be no third party access or storage
  § Users must be prompted either to confirm or change the setting at first use / setup

First reading result amounts to a surgical attack on data-driven advertising and the ad-supported business model.

ePrivacy proposal – European Parliament first reading outcome

§ Tracking remains toxic in Brussels (cf. MEP Sippel reference to “industry lies” and NO opposing statement prior to the Plenary vote)

§ On expropriation item, DG CONNECT privately admit to discomfort
§ IAB Europe meeting with new Commissioner in early November
§ Council deliberations are slower and will hopefully produce a more rational result
§ Late engagement by political leaders in EP may give grounds for some hope in trilogues
§ Search for “actionable” lessons to apply in next phase

“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation.”

-- Giovanni Buttarelli, European Data Protection Supervisor, March 2017

Thank you!